Refresh tokens have same expiration as access tokens?


#1

Hi guys,

Having some trouble with refresh tokens, could I confirm my findings are as expected?

  1. Refresh tokens have the same expiration (exp) time as access tokens according to the introspect endpoint
  2. A successful call to /oauth2/revoke for an access token also deactivates the refresh token

If the above is expected, is there some configuration that allows for refresh tokens that don’t expire?

Version: v1.0.0-beta.9
Git Hash: f359d0809badec1219d4678afe54ae628b0bdf70
Build Time: 2018-09-01T13:28:52Z

Thanks for hydra, it seems like a perfect fit for our use-case!

  • PPK

#2

Refresh tokens do not have an expire time. The response from introspection is a bug (please create an issue on GitHub!). Refresh tokens are invalidated with access tokens on revocation.


#3

Bug reported here: https://github.com/ory/hydra/issues/1025

Thanks for the clarification